Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
Tip
01 Jun 2023
Low-code/no-code use cases for security
Low-code/no-code development approaches have their fair share of security issues, but that doesn't mean they can't be used to benefit the security industry, too. Continue Reading
-
News
01 Jun 2023
Mitiga warns free Google Drive license lacks logging visibility
The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace. Continue Reading
-
News
23 Mar 2017
DV certificates abused, but policing may not be possible
Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue. Continue Reading
-
News
17 Mar 2017
Yahoo fallout: Minted authentication cookies raise concerns
Although minting authentication cookies is not widely understood, the Yahoo hacker indictments has brought it to the forefront and shown it can be very dangerous. Continue Reading
-
News
14 Mar 2017
Nine critical Windows security bulletins in Patch Tuesday
After its cancelled February Patch Tuesday, Microsoft's March 2017 Patch Tuesday includes nine critical Windows security bulletins targeting remote code execution flaws. Continue Reading
-
News
14 Mar 2017
Android ransomware and more pre-installed on devices
Security researchers found Android ransomware and malware pre-installed on popular devices, putting users at risk for information theft, tracking and more. Continue Reading
-
Answer
08 Mar 2017
How can attacks bypass ASLR protection on Intel chips?
An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent attacks. Continue Reading
-
News
06 Mar 2017
FBI chooses to protect Tor vulnerability and dismiss child porn case
The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected. Continue Reading
-
News
03 Mar 2017
Slack hack threatened to expose user account data and messages
News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more. Continue Reading
-
Answer
02 Mar 2017
What should enterprises know about how a stored XSS exploit works?
A stored XSS exploit can be damaging to enterprises that aren't fully protected. Expert Matthew Pascucci explains what stored XSS attacks are and how to defend against them. Continue Reading
-
News
28 Feb 2017
Edge and IE vulnerability disclosed by Project Zero
Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available. Continue Reading
-
News
24 Feb 2017
Project Zero discovers Cloudflare bug leaking sensitive customer data
The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords. Continue Reading
-
News
21 Feb 2017
Google discloses Windows vulnerability after canceled Patch Tuesday
Google Project Zero discloses a Windows vulnerability that passed the 90-day deadline. And it comes soon after Microsoft canceled its Patch Tuesday release. Continue Reading
-
News
17 Feb 2017
Microsoft Patch Tuesday February release delayed by a month
News roundup: Microsoft Patch Tuesday was canceled in February without a clear reason. Plus, APT28 is linked to new Mac malware; Lazarus targets more banks and more. Continue Reading
-
News
10 Feb 2017
Is the Ticketbleed flaw the new Heartbleed vulnerability?
News roundup: F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed. Plus, DHS is considering requiring social media passwords on visa applications, and more. Continue Reading
-
Podcast
08 Feb 2017
Risk & Repeat: Pentagon cybersecurity under fire
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Pentagon cybersecurity amid reports of misconfigured servers at the U.S. Department of Defense. Continue Reading
-
Tip
07 Feb 2017
How Windows hardening techniques can improve Windows 10
Windows 10 may be the most secure Windows ever, but expert Ed Tittel explains how to use Windows hardening techniques to make systems even more secure. Continue Reading
-
News
07 Feb 2017
SQL Slammer worm makes a comeback 14 years later
The SQL Slammer worm returned to take down systems that have been left unpatched for the past 14 years, but experts are unsure if the attacks will continue. Continue Reading
-
News
03 Feb 2017
Microsoft delays Windows zero-day patch; researcher drops exploit code
Microsoft decided to delay a Windows zero-day patch by two months, prompting the researcher who found it to post the proof-of-concept exploit code. Continue Reading
-
News
26 Jan 2017
More than 200 vulnerabilities found in Trend Micro security products
Researchers uncovered more than 200 vulnerabilities across Trend Micro products, but experts said the company brand won't take a hit. Continue Reading
-
Podcast
25 Jan 2017
Risk & Repeat: Windows SMB warning raises questions, concerns
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the Shadow Brokers' alleged exploit for Windows SMB and what it means for both enterprises and Microsoft. Continue Reading
-
News
25 Jan 2017
Project Zero finds Cisco WebEx vulnerability in browser extensions
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack. Continue Reading
-
News
19 Jan 2017
Windows 10 security tackles exploits, while Windows 7 gets a warning
As Microsoft touted its Windows 10 security features defeating unpatched zero-day vulnerabilities, it also warned customers about security issues with Windows 7. Continue Reading
-
News
19 Jan 2017
US-CERT reminds users that Windows SMB v1 needs to die
Experts say US-CERT is taking advantage of a potential -- but unverified -- vulnerability in Windows SMB v1 to remind enterprise users the outdated service should be disabled. Continue Reading
-
News
10 Jan 2017
January Patch Tuesday sparse before Windows security updates change
Microsoft offers up a meager January 2017 Patch Tuesday release before bigger changes planned for Windows security update announcements, which are set to take effect in February. Continue Reading
-
News
04 Jan 2017
SSL certificate validation flaw discovered in Kaspersky AV software
Google Project Zero discovers more antivirus vulnerabilities. This time, the issues are with how Kaspersky Lab handles SSL certificate validation and CA root certificates. Continue Reading
-
Answer
04 Jan 2017
How does a Linux vulnerability allow attacks on TCP communications?
A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb explains how to mitigate these risks. Continue Reading
-
News
03 Jan 2017
Decades-old bug in the libpng open source graphics library patched
A low-severity vulnerability dating back to 1995 in libpng, the official reference library implementation for PNG, may have enabled remote DoS attacks. Continue Reading
-
Feature
30 Dec 2016
Hacking Web Intelligence
In this excerpt from chapter 8 of Hacking Web Intelligence, authors Sudhanshu Chauhan and Nutan Panda discuss how to be anonymous on the internet using proxy. Continue Reading
-
News
16 Dec 2016
Vulnerable websites make up half of the internet's top sites
News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more. Continue Reading
-
Feature
29 Nov 2016
DNS Security: Defending the Domain Name System
In this excerpt from chapter two of DNS Security: Defending the Domain Name System, authors Allan Liska and Geoffrey Stowe discuss why DNS security is important. Continue Reading
-
Tip
02 Sep 2016
Planning for an IPv6 attack: DDoS, neighbor discovery threats and more
An IPv6 DDoS attacks are imminent, and your network security tools may not be configured for it. Expert Michael Cobb explains how enterprises can prepare its defenses. Continue Reading
-
Feature
25 Jul 2016
How to start building an enterprise application security program
Building an effective application security program can be daunting. Sean Martin talks with experts about the best first steps enterprises should take. Continue Reading
-
Blog Post
21 Jul 2016
Environment variables: Should they be considered harmful?
In the wake of the httpoxy vulnerability, should environment variables be considered harmful? Perhaps, but they are just so useful. Continue Reading
-
News
26 May 2016
Retiring obsolete SHA-1 and RC4 cryptographic algorithms, SSLv3 protocol
Microsoft speeds deprecation of SHA-1, Google dropping support for RC4, SSLv3, as web software publishers approach end of life for obsolete cryptographic algorithms and protocols. Continue Reading
-
News
06 May 2016
Commercial code riddled with open source vulnerabilities
Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more. Continue Reading
-
Answer
21 Apr 2016
How does the banking Trojan Dyreza exploit Windows 10?
A variant of banking Trojan Dyreza has begun to target Windows 10. Expert Nick Lewis explains the new attack functionalities, and Windows 10 and user vulnerabilities. Continue Reading
-
Tip
21 Apr 2016
Breaking down the DROWN attack and SSLv2 vulnerability
A DROWN attack can occur through more than a third of all HTTPS connections. Expert Michael Cobb explains how DROWN enables man-in-the-middle attacks and mitigation steps to take. Continue Reading
-
Answer
01 Mar 2016
Outdated apps: What are the best ways to address them?
Dead and outdated apps can pose serious security risks for enterprises. Expert Nick Lewis explains how to find and remove dead apps before they become a problem. Continue Reading
-
News
29 Jan 2016
OpenSSL patch fixes encryption flaw and strengthens Logjam defense
A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability. Continue Reading
-
News
28 Jan 2016
Oracle closing an attack vector by deprecating the Java browser plug-in
Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own. Continue Reading
-
Tip
11 Jan 2016
Microsoft Device Guard tackles Windows 10 malware
A new Microsoft security feature takes aim at Windows 10 malware. Expert Michael Cobb explains what enterprises should know about Device Guard. Continue Reading
-
Answer
30 Dec 2015
Should the RC4 cipher still be used in enterprises?
A newly discovered attack can break the RC4 cipher and decrypt user cookies. Expert Michael Cobb explains the attack and the relevance of RC4 in enterprises today. Continue Reading
-
Answer
28 Dec 2015
How can software transplants fix bad code?
Copying and pasting bad code into an application is a big problem for developers, but software transplants can help. Expert Michael Cobb explains the technology. Continue Reading
-
Answer
16 Nov 2015
Can Google's Chrome extension policy improve Web security?
The updated Chrome extension policy allows users and developers to only install extensions from the Chrome Web Store. Learn how this affects security and enterprise apps. Continue Reading
-
Feature
04 Nov 2015
Comparing the top Web fraud detection systems
Expert Ed Tittel explores the features of the top Web fraud detection systems and compares critical purchasing criteria. Continue Reading
-
Answer
14 Oct 2015
How should enterprises manage social media compliance incidents?
Social media compliance incidents in financial institutions are on the rise. Here are the most common violations and how to avoid them in the future. Continue Reading
-
Tip
06 Oct 2015
How to perform a forensic acquisition of a virtual machine disk
Virtualization expert Paul Henry provides a step-by-step guide to imaging a virtual machine disk (*flat.vmdk) in a forensically sound manner. Continue Reading
-
Opinion
05 Oct 2015
Can white-box cryptography save your apps?
With the Internet of Things, software-based secure elements could hold the key. Continue Reading
-
Opinion
01 Oct 2015
McGraw: Seven myths of software security best practices
According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development. Continue Reading
-
Feature
15 Sep 2015
Comparing the best Web application firewalls in the industry
Expert Brad Causey compares the best Web application firewalls on the market across three types of product types: cloud, integrated and appliance. Continue Reading
-
Answer
09 Sep 2015
Should the Netdump flaw deter enterprise ODL SDN use?
The benefits of the ODL SDN platform are promising, but what about the recent Netdump flaw it experienced? Expert Kevin Beaver discusses why you may not want to pass on OpenDayligh just yet. Continue Reading
-
Feature
20 Aug 2015
Introduction to Web fraud detection systems
Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce. Continue Reading
-
News
20 May 2015
Google changes Chrome extension policy amid security concerns
Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store. Continue Reading
-
News
07 May 2015
Malware detection tool tackles medical device security
WattsUpDoc, an embedded system security tool used to detect malware in medical devices, is now in beta testing at two major U.S. hospitals. Continue Reading
-
Feature
17 Mar 2015
Four questions to ask before buying a Web application firewall
Web application firewalls are complex products. Expert Brad Causey explains the key criteria enterprises need to consider before investing in a WAF product. Continue Reading
-
Feature
19 Feb 2015
Business-use scenarios for a Web application firewall deployment
Web application firewalls can be a critical security layer for many companies. Expert Brad Causey explains when and how to deploy a WAF in the enterprise. Continue Reading
-
Feature
17 Feb 2015
Introduction to Web application firewalls in the enterprise
Expert Brad Causey takes a close look at Web application firewalls, explains how WAF technology can prevent Internet-based attacks from known and unknown applications threats, and offers advice on WAF management and deployment. Continue Reading
-
Feature
15 Dec 2014
The Basics of Information Security
In this excerpt of The Basics of Information Security, author Jason Andress outlines methods for improving operating systems security. Continue Reading
-
Answer
01 Dec 2014
Can setting a cache-control header improve application data security?
Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data. Continue Reading
-
Answer
01 Dec 2014
Are LibreSSL and BoringSSL safe OpenSSL alternatives?
Since the revelation of the Heartbleed flaw, OpenSSL security has been put into question. Expert Michael Cobb discusses whether LibreSSL and BoringSSL could serve as OpenSSL alternatives. Continue Reading
-
Answer
19 Nov 2014
How can vishing attacks be prevented?
Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them. Continue Reading
-
Feature
29 Sep 2014
Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
In this excerpt of Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides, the authors explain how to discover and extract malware from a Linux system. Continue Reading
-
Feature
21 Apr 2014
Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace
This is an excerpt from the book Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace by Todd G. Shipley and Art Bowker. Continue Reading
-
Feature
31 Mar 2014
Linux Malware Incident Response
In this excerpt from Linux Malware Incident Response, authors Cameron Malin, Eoghan Casey and James Aquilina discuss volatile data collection methodology, steps and preservation. Continue Reading
-
Feature
17 Mar 2014
Social Media Security
In this excerpt from Social Media Security, author Michael Cross offers a number of strategies to help ensure social media security. Continue Reading
-
Feature
03 Feb 2014
Tor networks: Stop employees from touring the deep Web
Are employees using Tor to view blocked Web sites, or mining Bitcoins on corporate resources? Sinister or not, it needs to stop. Continue Reading
-
Answer
12 Mar 2013
Bing security: Is search engine poisoning a problem for Bing users?
Is Microsoft's Bing search engine more susceptible to search engine poisoning than Google? Expert Michael Cobb discusses Bing security. Continue Reading
-
Quiz
18 Jan 2013
Quiz: Why SSL certificate security matters
In this five-question quiz, evaluate your knowledge of our Security School lesson on why SSL certificate security is important. Continue Reading
-
Opinion
17 Jan 2013
Thirteen principles to ensure enterprise system security
Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades. Continue Reading
-
Answer
31 Aug 2011
How to mitigate the risk of a TOCTTOU attack
Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them. Continue Reading
-
Tip
11 Mar 2011
Securing a multi-tenant environment
Learn some of the key elements for secure multi-tenancy. Continue Reading
-
Tip
03 Feb 2011
The hypervisor security patch management process
Enterprises using virtualization must include hypervisor patching in their patch management process. Robbie Higgins explains why. Continue Reading
-
Tip
30 Jul 2010
How to avoid attacks that exploit a Web browser vulnerability
Beyond patching, Tom Chmielarski explains what you'll need to do to avoid application exploits caused by Web browser vulnerabilities. Continue Reading
-
Answer
05 Jul 2010
Why it's important to turn on DEP and ASLR Windows security features
In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on. Continue Reading
-
Tip
30 Mar 2010
Using Windows software restriction policies to stop executable code
Software restriction policies are one way to prevent known malware and file-sharing applications from taking control of your network. Continue Reading
-
Quiz
19 Nov 2009
Quiz: How to build secure applications
Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Continue Reading
-
Tip
03 Nov 2009
Security benefits of virtual desktop infrastructures
In a highly regulated industry where security is critical, financial-services firms are turning to virtual desktop infrastructures. In this tip, Eric Ogren explains the security benefits of virtualized desktops and virtual workspace projects, including malware-resistant software configurations and enhanced data loss prevention. Continue Reading
-
Tip
23 Sep 2009
Determine your Microsoft Windows patch level
A handful of patch management tools from Microsoft and third -parties can help your organization determine your Windows patch level and identify missing security patches. Continue Reading
-
Answer
22 Sep 2009
How to prevent ActiveX security risks
Application expert Michael Cobb explains why ActiveX security relies entirely on human judgment. Continue Reading
-
Tip
18 Jun 2009
When BIOS updates become malware attacks
Most security pros don't give the system BIOS a second thought, or even a first one, but today's BIOS types are highly susceptible to malicious hackers. Information security threats expert Sherri Davidoff explains how attackers can plant BIOS malware and how security pros can thwart such attacks. Continue Reading
-
Tip
02 Mar 2009
How many firewalls do you need?
Whether your organizations needs multiple sets of firewalls depends on whether they will protect clients, servers or both and what kind of traffic they will monitor. Continue Reading
-
Answer
11 Feb 2009
How does a Web server model differ from an application server model?
A Web server model and an application server model share many similarities but require different defense methods. Each model, for example, calls for distinct placement of application servers. Continue Reading
-
Answer
14 Oct 2008
What are the basics of a Web browser exploit?
John Strand explains how attackers target a flaw in either the browser or in an application that the browser calls to process a Web request. Continue Reading
-
Tip
19 May 2008
Ophcrack: Password cracking made easy
Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords. Continue Reading
-
Answer
11 Feb 2008
What software development practices prevent input validation attacks?
Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A, Michael Cobb reviews the most important application development practices. Continue Reading
-
Tip
17 Jan 2008
Developing a patch management policy for third-party applications
Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from Acrobat Reader to iTunes -- complicates matters, but security professionals shouldn't lose hope. Effective patch management for third-party products is possible, and contributor Ed Skoudis has the tools to do it. Continue Reading
-
Tip
11 Oct 2007
Preparing for uniform resource identifier (URI) exploits
URIs have always been a user-friendly way to recognize and access Web resources. By crafting malicious URLs and manipulating protocol handlers, however, attackers have devised new attacks that take advantage of the URI's locator functionality. Web security expert Michael Cobb explains how the identifier exploits may start a fresh round of problems for developers and users alike. Continue Reading
-
Answer
31 May 2007
What are the drawbacks to application firewalls?
Application-layer firewalls examine ingoing and outgoing traffic more carefully than traditional packet-filtering firewalls, so why are some holding back on deployment? In this SearchSecurity.com Q&A, Michael Cobb reveals some cost and performance issues. Continue Reading
-
Answer
24 Apr 2007
What is an Nmap Maimon scan?
Systems are often designed to hide out on a network. In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how Nmap Maimon scans can get a response out of them. Continue Reading
-
Answer
17 Jan 2007
Will two different operating systems cause administrative problems?
Using two different operating systems can often boost a company's security, but there are practical limitations to the enterprise practice. In this expert Q&A, Michael Cobb reveals how separate platforms can lead to deployment issues and higher development costs. Continue Reading
- Quiz 19 Jan 2006
-
Tip
15 Nov 2004
How to patch vulnerabilities and keep them sealed
Learn how to simplify the patch deployment process and employ methods that will reduce vulnerabilities. Continue Reading